

Ethical Hacking News

Unveiling a Web of Deception: The Hidden Adware Epidemic on Google Chrome Extensions




Recently, cybersecurity researchers have discovered a complex network of 152 Google Chrome extensions that have been secretly collecting user data without users' knowledge or consent. These malicious extensions are available for download from the Chrome Web Store and collectively have been installed over 105,000 times. This article delves into the details of this issue, exploring how these extensions engage in deceptive practices to collect user data and evade detection.



  • 152 Google Chrome extensions have been found secretly collecting user data without consent.
  • These extensions were available for download from the Chrome Web Store and were collectively installed over 105,000 times.
  • 38 separate publisher accounts are involved in this malicious endeavor, using brand backends such as tabplugins[.]com and yowgames[.]com.
  • The extensions log user data, including IP addresses and click counts, and share it with ad partners like Google AdSense and DoubleClick.
  • The attackers used deceptive tactics to avoid detection, including disguising links and making uninstallation look like genuine Google Search activity.
  • The malicious extensions contain dormant capabilities that can enumerate and delete IndexedDB databases.



    Google Chrome, one of the most widely used web browsers globally, has long been a favorite among users due to its speed and functionality. However, like any other aspect of our digital lives, it is not immune to the threats that lurk in the shadows of the internet. Recently, cybersecurity researchers have discovered a complex network of 152 Google Chrome extensions that have been secretly collecting user data without users' knowledge or consent.

    These malicious extensions, which are available for download from the Chrome Web Store, are essentially new tab live wallpaper add-ons designed to distribute a potentially unwanted program (PUP) family. The extent of this issue is alarming, with these extensions collectively being installed over 105,000 times. This staggering figure highlights the potential reach and impact of such malicious software.

    A closer examination of the Chrome Web Store reveals that 38 separate publisher accounts are involved in this malicious endeavor. These accounts belong to three different brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. The use of these brand backends is a crucial aspect of the attack, as it allows the attackers to create a façade of legitimacy.

    The names of some of the extensions are quite telling, with titles like "Neymar - Football Live Wallpaper," "Satoru Gojo Manga Live Wallpaper," and "Porsche 911 - Sports Car Live Wallpaper." While these names might seem innocuous, they belie the true nature of these extensions. Upon further investigation, it becomes clear that every listing declares on the Chrome Web Store that it will not collect or use user data, while the linked privacy policy admits the opposite.

    The extent to which these extensions engage in data collection is shocking. They log IP addresses, ISP information, click counts, and referrers, and share this data with Google AdSense, DoubleClick, and third-party ad partners. This level of data exploitation underscores the need for users to be vigilant when downloading new extensions.

    Another disturbing aspect of these malicious extensions is their ability to deceive users into believing that they are legitimate downloads. The installation URL includes Urchin Tracking Module (UTM) parameters "utm_source=google&utm_medium=organic&utm_campaign=tanjiro-demon-slayer-live-wallpaper." This cleverly disguised link creates the illusion that the extension was installed through an organic search, thereby disguising its true nature.

    Furthermore, when a user attempts to uninstall one of these malicious extensions, it triggers another deceptive URL. The uninstall URL is a google.com/url redirect wrapper that makes the uninstallation look like genuine Google Search activity. This level of sophistication in deception underscores the attackers' willingness to go to great lengths to avoid detection.

    Moreover, the JavaScript files used by these extensions contain dormant capabilities. These files can enumerate and delete every IndexedDB database when a service worker starts. While this might seem like a minor issue, it highlights the broader scope of the problem.
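
    The three behaviours described above (hard-coded "organic" UTM tags, a google.com/url wrapper used as the uninstall URL, and IndexedDB enumerate-and-delete) can be checked for statically in an unpacked extension's scripts. The triage function below is an added example, not code from the researchers or the original article; the rule names are hypothetical, and the sample source and the backend.example host are constructed.

```javascript
// Added example: static triage of an unpacked extension's script source for
// the three behaviours the article describes. Heuristic, not a verdict.
const URL_LITERAL = /https?:\/\/[^\s"'`<>)]+/g;

function triageExtensionSource(source) {
  const findings = [];
  for (const raw of source.match(URL_LITERAL) || []) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed literals
    const host = url.hostname.replace(/^www\./, "");
    const q = url.searchParams;
    // Hard-coded UTM tags asserting the visit came from Google organic search.
    if (q.get("utm_source") === "google" && q.get("utm_medium") === "organic") {
      findings.push({ rule: "hardcoded-organic-utm", evidence: raw });
    }
    // google.com/url redirect wrapper baked into extension code.
    if (host === "google.com" && url.pathname === "/url") {
      findings.push({ rule: "google-redirect-wrapper", evidence: raw,
                      target: q.get("q") || q.get("url") });
    }
  }
  // Enumerate-then-delete of IndexedDB databases (dormant wipe capability).
  const enumerates = /indexedDB\s*\.\s*databases\s*\(/.test(source);
  const deletes = /indexedDB\s*\.\s*deleteDatabase\s*\(/.test(source);
  if (enumerates && deletes) {
    findings.push({ rule: "indexeddb-enumerate-delete",
                    evidence: "indexedDB.databases() with deleteDatabase()" });
  }
  return findings;
}

// Constructed sample (backend.example is a placeholder host, not from the page).
const SAMPLE_SOURCE = `
chrome.tabs.create({ url: "https://backend.example/welcome?utm_source=google&utm_medium=organic&utm_campaign=sample-live-wallpaper" });
chrome.runtime.setUninstallURL("https://www.google.com/url?q=https%3A%2F%2Fbackend.example%2Fbye");
async function wipe() {
  for (const db of await indexedDB.databases()) indexedDB.deleteDatabase(db.name);
}
`;

for (const f of triageExtensionSource(SAMPLE_SOURCE)) {
  console.log(f.rule, "->", f.target || f.evidence);
}
```

    A hit is a reason to read the surrounding code, since legitimate extensions can also clear their own IndexedDB data.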

    The entire operation is assessed as a "financially motivated commercial adware and traffic-attribution-fraud affiliate operation." Its exact origin remains unknown, although available circumstantial indicators suggest that it could have originated from Turkey.

    In conclusion, the recent discovery of this complex network of malicious Google Chrome extensions serves as a stark reminder of the ever-present threats lurking in our digital lives. It highlights the importance of users exercising caution when downloading new extensions and regularly reviewing their installed software to prevent such attacks.





  • Published: Thu Jun 18 01:13:45 2026 by llama3.2 3B Q4_K_M